Icinga Service Won't start up after setting up API


(Kundan Kumar) #1

Hi Guys,

After setting up API on Icinga2, when I try to run command: Icinga2 daemon -C, its throwing error.

I used command: icinga2 api setup to set up API automatically on Icinga2. This command will create API root user, Certificate and Private key automatically.

However I can see API is enabled. I ran command: icinga2 feature list and its giving Enabled features: api checker command ido-mysql mainlog notification this.

Error I am getting is:

information/cli: Icinga application loader (version: r2.8.1-1)
information/cli: Loading configuration file(s).
information/ConfigItem: Committing config item(s).
critical/SSL: Error on bio X509 AUX reading pem file ‘/var/lib/icinga2/certs//Certificate1.crt’: 151441516, “error:0906D06C:PEM routines:PEM_read_bio:no start line”
critical/config: Error: Cannot get certificate from cert path: ‘/var/lib/icinga2/certs//Certificate1.crt’.
Location: in /etc/icinga2/features-enabled/api.conf: 5:1-5:24
/etc/icinga2/features-enabled/api.conf(3): */
/etc/icinga2/features-enabled/api.conf(5): object ApiListener “api” {
/etc/icinga2/features-enabled/api.conf(6): // accept_config = true
/etc/icinga2/features-enabled/api.conf(7): // accept_commands = true

critical/config: 1 error

I need help on this. Please check and help here.

Thank you.


Since v2.8 the cert path has moved to /var/lib/icinga2/certs, as you are using 2.8.1 (which is quite old) I assume the folder exists and the certificates are placed there?

A quick internet search for Error on bio X509 AUX reading pem file shows similar posts:

I would suggest you snapshot your icinga2 system and then bring it up-to-date. After this try enabling the API again, after you verified that the /var/lib/icinga2/certs foler is readable by the executing icinga2 user (nagios for Debian systems, icinga for e.g CentOS)

(Kundan Kumar) #3

Thanks for your response log1c.

Yes certificates exists at /var/lib/icinga2/certs, but I don’t see any thing inside /etc/icinga2/pki, Can this be a issue ?

And how do you snapshot your icinga2 system and bring it up to date ? As I am quite new to Icinga world.

(Kundan Kumar) #4

And also If I am running command: /etc/init.d/icinga2 start, its not throwing any error. Its giving below output.

[ ok ] Starting icinga2 (via systemctl): icinga2.service.


Creating a snapshot/checkpoint of the machine would be done via the hypervisor you are using to run the VM, e.g Vmware vSphere/ESXi or Microsoft Hyper-V.

Updating icinga2 is done via your normal linux package management tools, like apt (Debian/Ubuntu) or yum(CentOS).

The certificates are in their correct location, the pki directory isn’t used anymore.

(Kundan Kumar) #6

Is there any way to disable this API feature and try again ?


icinga2 feature disable api

(Kundan Kumar) #8

Thanks for the help.

It seems once I ran command icinga2 api setup, the certificate it generated is not working.